Splunk Search

How to use OR or AND in searchmatch(X) function?

dniraula
New Member

I am trying to use following query to generate some report put seems OR and AND is not working in searchmatch.

index=xxx sourcetype=xxxx | timechart count(eval(searchmatch("Login successful OR logged in"))) as Success,count(eval(searchmatch("Authentication failure OR Failed User"))) as Failed by sourcetype

It is working perfectly if I didn't use OR. Is there any alternative query to get same result as above query?

Tags (1)
0 Karma

Ayn
Legend

searchmatch(str) is really just an alias for match(_raw, str) and they're both regex based. So what you need is to use the pipe character which denotes an OR in regex:

... searchmatch("Authentication failure|Failed User")

wrangler2x
Motivator

Actually, what I am finding on the 6.x releases is that using a pipe in searchmatch as OR does not work -- it throws an error. However, if you use the match(_raw,regex) instead, the regex can have a pipe in it there.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...